Practical FCPA and U.K. Bribery Act Compliance
Concepts for the Corporate Board Member, C-Suite
Executive and General Counsel
Global AntiCorruption &
Practical FCPA and U.K. Bribery Act
Compliance Concepts for the Corporate
Board Member, C -Suite Executive and
Global Anti-Corruption &
By Thomas Fox and Jon Rydberg
Edited by Nick Briere
Copyright © 2013 Thomas Fox and Jon Rydberg
All rights reserved. No part of this book may be reproduced or transmitted in any
form without the written permission of the author s.
Information in this book is intended for public discussion and educational
purposes only. It does not constitute legal advice and does not create any
attorney-client relationship with the authors.
TABLE OF CONTENTS
Who Should Read This Book
About the Authors
1. Why Comply with Global Anti-Corruption/Anti- Bribery Laws? 8
2. Two Prevailing Laws – The FCPA and U.K. Bribery Act
3. How Do Such Laws Relate to Your Business?
4. Creating Your Anti-Corruption/Anti-Bribery Program
5. Marketing Your Anti-Corruption/Anti-Bribery Program
6. High Risk Areas To Watch
7. Leveraging Internal Controls To Mitigate High Risk Areas
8. When the Government Comes Knocking
9. What Does It All Mean?
Who Should Read This Book
If you “believe” your organization is compliant because: (1) you provided training;
(2) you have an “honest” culture; or (3) because a Federal investigator hasn’t told
you otherwise, you may be putting the corporate enterprise at increased risk. There
is a big difference between being “compliant” and having a “Compliance
This book provides practical lessons pertaining to the FCPA, U.K. Bribery Act and
broader Anti-Corruption / Anti-Bribery standards for Board Members, Chief
Executive Officers, General Counsel and other corporate executives who seek to
lower their enterprise risk profile by learning simple strategies from tested
About the Authors
Thomas Fox, P rincipa l of TomFoxLaw and Author
Mr. Fox has practiced law in Houston for 30 years. He is now assisting companies
with FCPA compliance, risk management, and international transactions. He was
most recently the General Counsel at Drilling Controls, Inc., a worldwide oilfield
manufacturing and service company. He was previously Division Counsel with
Halliburton Energy Services, Inc.
Mr. Fox is the founder and editor of the award winning FCPA Compliance and
Ethics Blog ( http://tfoxlaw.wordpr ess.com/). He has published three books on
anti-bribery and anti-corruption issues: Lessons Learned on Compliance and
Ethics, Best Practices Under the FCPA and Bribery Act, and GSK in China: A
Game Changer in Compliance. He is a regular speaker, the author of a wide range
of articles on these issues, and an avid maven on the use of social media for
compliance. He podcasts at The FCPA Compliance and Ethics Report and can be
reached at firstname.lastname@example.org.
Jon Rydberg, CEO of Orchid Advisors and Author
Mr. Rydberg has served as a global Big 4 audit, compliance, and business
consulting executive for approximately 20 years. He was most recently the Chief
Compliance Officer and VP, Internal Audit at Smith & Wesson and was previously
employed by such leaders as Ernst & Young, Protiviti, and United Technologies,
a worldwide Fortune 50 conglomerate. He served public Board members, CEOs
and CFOs on high profile matters pertaining to corporate fraud and SEC financial
reporting scandals, Federal FCPA investigations, Sarbanes-Oxley material
weakness remediation and the optimization of internal audit programs for billion
Mr. Rydberg was responsible for implementing a full-scale compliance and anticorruption/anti-bribery program in the wake of an industry-wide DOJ/SEC-led
FCPA sting. He is also author of The Four Pillars of Firearm Compliance, a text
focused on transforming ATF compliance in the Firearms Industry and has
featured in such media sites as the Wall Street Journal and CNBC.
Mr. Rydberg also served in the role of global Aerospace & Defense industry
practice leader and held additional positions with the Department of Homeland
Security (DHS) Manufacturing Industry Sector Board and as an Executive
Committee Member of the DHS Manufacturing Supply Chain Team, APICS, the
IIA and Mensa. He holds a Secret Clearance and is a Certified Management
Accountant (CMA), Certified Production and Inventory Management (CPIM),
Project Management Professional (PMP), and a Certified Internal Auditor (CIA).
And, he holds three U.S. Patents and is a BSME, MBA and MACC (partial).
Mr. Rydberg is now transforming the Compliance Ecosystem as CEO of Orchid
Advisors, a strategic management consultancy focused on transforming the worlds
of audit and compliance. The firm provides experts in ATF compliance, State
firearms compliance, anti-corruption/bribery, ITAR, import, export, and SarbanesOxley. Its early entry market is the Firearms Industry, where Orchid counts among
its customers the top manufacturers in the world. Orchid clients hire the firm to
reinvent business processes, implement technology and big data solutions to
support that change, and transform their compliance culture. Orchid Advisors
brings the depth and breadth of Big Four consulting with the innovation, thought
leadership, and economies of a boutique analyst firm. More information about the
firm’s four service lines of Compliance Consulting, Compliance Technology,
“P ut simp ly, the prospect of significant prison sentences for individuals
should make clear to every corporate executive, every board member, and
every employee that we seek to hold you personally accountable for FCP A
Lanny Breuer, Assistant Attorney General, Criminal Division, U.S. Department
of Justice, February 2010
In 2010, Mr. Breuer made the full-bodied statement above. Using language that
lacked the slightest hint of normal “government-speak,” he made it very clear that
any individual caught violating the Foreign Corrupt Practices Act (FCPA) would
be held accountable for his or her actions and that the U.S. Department of Justice’s
(DOJ) enforcement of the FCPA would include the full force of the U.S.
One would think that “the prospect of significant prison sentences” would go
a long way toward establish ing an effective deterrent. So why then are U.S.
organizations continually levied billions of dollars in fines for vio lations of the
Foreign Corrupt P ractices Act?
If the mantra “Simply put, don't bribe” holds true, then maintaining compliance
should be easy, right? Not necessarily. The Federal Government has established
what it believes is a reasonable standard for preventing and detecting noncompliant behavior pertinent to any Federal regulation. Organizations that conduct
business in the U.S. or abroad must protect their stakeholders and shareholders by
meeting or exceeding the standards set forth in the Federal Sentencing Guidelines
§ 8b2.1, “[An] Effective Compliance and Ethics Program.”
Federal investigations are long. They are costly. They are painful and impact more
than just your legal department. Imagine losing the ability to ship to key markets
for an extended period of time. Would you like an independent monitor watching
every employee transaction across your enterprise? Our guess is probably not.
Although global anti-corruption /anti-bribery standards are quickly developing and
taking hold around the world, the standards and cultural norms for operating a
global business still vary widely. Until those standards become uniform, and until
human nature ceases to be human nature, compliance with the FCPA and similar
anti-corruption/anti-bribery regulations shouldn’t rest exclusively on training and
a “faith in compliance.”
Additionally, one of our chief reasons for writing this book was to reinforce the
belief that compliance – both in general and as it pertains to the anti6|Page
corruption/anti-compliance – should be viewed, like quality and safety, as an equal
business metric. Although compliance should not be designed to impede efficient
business operations, it should be part of the decision-making process. In fact, bestin-class compliance programs are enablers of planned and measured risk -taking.
Finally, this book is in no way meant to serve as a legal reference, nor as a formal
interpretation of law. For any questions pertaining to the interpretation of global
anti-corruption and anti-bribery standards, the reader should seek out the advice of
a qualified legal professional.
Before you begin, take out a pen and piece of paper. Document your answers
to these questions and we will compare your level of understanding at the end
of our book.
How does your organization limit the risk of non-compliance? Can you
list the controls?
Do you know what the prevailing standard and U.S. Government
expectations are for a compliance program?
Can you point to (or touch) your compliance program? What about your
How do you mitigate the risk of bribery?
How do you mitigate inappropriate disbursements?
When was your last independent anti-corruption /anti-bribery program
Chapter 1: Why Comply with Global Anti-Corruption/Anti-Bribery Laws?
The high volume of fines levied by the U.S. government resulting from
investigations into violations of the Foreign Corrupt Practices Act demonstrates
the extent and maturity of existing U.S. anti-corruption/anti-bribery programs, as
well as the extent of pain felt across the corporate landscape.
When asked, “What element of FCPA compliance do organizations lack
most?” we often respond with “Confusion between the concepts of Compliance
and a Compliance Program.” Some organizations simply don’t know the
Do companies really understand the requirements of a robust anticorruption/anti-compliance compliance program?
Do they understand where the company stands in terms of compliance
with prevailing laws such as the FCPA and U.K. Bribery Act?
Do they understand related laws in other local countries in which they
conduct business transactions?
Do they understand the risks of being non -compliant?
Is the company engaging in risky behavior in its dealings overseas, and if
so, are they aware of it?
Do companies have real-time visibility into their transactions with
We once had a client that asked for an evaluation of their Ethics Program. After a
short review, it was concluded that a Program did not exist. The Vice President of
Human Resources was angered by the conclusion. “How can you say that? We are
run like a family – our employees are trustworthy and we are definitely ethical and
compliant.” We asked again, as a Federal investigator would, “Can you please
provide us with evidence of your Ethics Program ?” The client could point to
nothing other than training and a family-oriented culture.
Obviously anti-corruption /anti-bribery training is important – but the DOJ’s
expectation includes the existence of Program elements as listed in § 8b2.1. That
means something tangible, promoted, audited, measured, and improved.
Granted, it is difficult to control the behavior of every employee, contractor , or
sales agent in a large, international organization; but there must be a higher level
of awareness and institutional priority around building and maintaining an
effective program. This simply is not optional.
More appropriately stated, compliance, like quality, safety, and ethics, must be
embedded into the fabric of the business. These elements all should have the
underlying foundation in the organization’s Mission, Vision, Values, and Code of
Conduct, and end with a continuous and transparent evaluation of itself.
The DOJ and the Securities and Exchange Commission (SEC) assess an average
of 50+ U.S. FCPA violation cases each year. And while that may not seem like a
large number considering how many U.S. firms operate internationally, it’s a huge
caseload for the Federal regulators because of the time and resources necessary to
mount an FCPA investigation.
The consequences of an FCP A vio lation are serious. An individual found in
vio lation of F CP A can be sentenced to five years in prison and fined up to
$250,000 per instance of vio lation; companies can be fined up to $2 million
per instance. An F CP A investigation could invo lve dozens or hundreds of
instances. Even if there is no prison sentence, the fines alone can add up
quickly. But perhaps most impactful is: (1) P ublic announcement of the
in vestigation; (2) Derivative lawsuits; (3) Inability to sell into key markets; (4)
loss of long-term relationships; and (5) The threat of an independent monitor.
Is it really worth it?
While the fines can be very expensive and the threat of prison time is enough make
anyone nervous, the real cost is in the personal and professional years lost while
under investigation. The DOJ and SEC have been known to be slow and
deliberative in their investigative process. Consequently, a company under
investigation can expect to expend incredible amounts of time and resources to
fulfill investigator needs.
Part of what makes these investigations so incredibly detailed and time-consuming
is that the process of interpreting violations can be very subjective. For instance,
the U.S. law speaks to the “intent to bribe.” How does the Government determine
that a company and its employees had the intent to bribe? Investigators end up
pouring over hundreds of thousands—if not millions—of emails, trying to interpret
possible out-of-context words an employee used in conversation years ago. Was
that person joking or serious? Did this conversation represent the intent to bribe?
These are hard questions to answer.
Chapter 2: Two Prevailing Laws – The FCPA and U.K. Bribery Act
There is a growing focus on the part of worldwide governments and businesses
alike on the subject of anti-bribery and anti-corruption. The two most prevalent
legislative efforts toward progressing this goal are the U.S. Foreign Corrupt
Practices Act and the U.K. Bribery Act.
The Foreign Corrupt Practices Act of 1977 was enacted by the U.S. Congress and
signed into law by President Jimmy Carter with the goal of stopping what had
become a pattern of bribery, particularly the bribing of foreign officials by U.S.
companies and individuals. The impetus for creating the FCPA arose out of
extensive investigations in the 1970s by the SEC, which found more than 400 U.S.
companies admitting to illegal (or , at minimum, “questionable”) payments to
foreign officials. These payments were made to induce favorable business
outcomes and amounted to more than $300 million. At the time, the act of bribery
was not technically illegal; however, the act hiding such behavior from a
company’s shareholders was, and brought the scandal to both the SEC’s and
public’s attention. This contributed heavily to an atmosphere of anti-corruption
and lead to the adoption of the Foreign Corrupt Practices Act. Regardless of the
laws – then or now – we all know that bribery and corruption are both irrevocably
unethical and that leaders should seek to exclude them from their organization s.
Understanding the Foreign Corrupt Practices Act
The Foreign Corrupt Practices Act is about bribery, plain and simple. There are
two prominent themes of the FCPA. The first, the anti-bribery provisions , makes
it illegal to bribe any foreign official. The second, the books and records
provision , mandates that companies keep accurate records pertaining to
transactions involving foreign business activity, notwithstanding existing SEC
rules relating to the accuracy of all financial recordkeeping.
Simply stated, the FCPA makes it illegal for a U.S. company or individual to bribe
a foreign official. The definition of foreign official is broad and can include
government officials and their family members, administrators at a governmentowned or managed institution, and quasi-government agencies that are owned both
privately and by local governments. Also falling under the jurisdiction of the FCPA
are employees of international organizations, like the United Nations.
Under the Act, a bribe is the offer of anything of value – cash, merchandise,
property, services, etc. The real focus is on the intent to bribe or influence, not on
the amount or value of the bribe (or even whether or not the bribe ultimately took
place or if any benefit was received). It is also illegal to have any knowledge of a
10 | P a g e
bribe, to supervise a bribe, or to fail to report a bribe. In short, pretty much anything
associated with bribery of a foreign official is illegal under the FCPA. The only
exceptions are in some pretty extreme hostage situations—so extreme that they
really aren’t germane to this book.
Books and Records Provisions
The FCPA also requires companies whose securities are listed in the United States
to make and keep books and records that accurately and fairly reflect the
transactions of the corporation and maintain an adequate system of internal
accounting controls. In essence, if a company is conducting business with foreign
entities, it must be able to substantiate and produce records for any overseas
transactions. These transactions range from travel and entertainment, to free
product, to international offsets, to agent sales commissions, and to everything in
These accounting provisions were designed to operate in tandem with the antibribery provisions of the FCPA and the two are often evaluated together in the
course of a government-led investigation. You might read the above paragraphs
and believe the FCPA is not applicable to you and/or your organization. “We don’t
conduct business with foreign governments and therefore this is not of concern.”
On the contrary. Take the following, for example:
A bribe or any intent to influence a transaction whose end user, buyer, or
decision maker is unrelated to a foreign government may still be subject
to the same level of legal risk.
The government may view your domestic distributors, who sell
internationally, as legal extensions of your organization although they are
technically not. Who m you do business with and the expectations that you
establish with those parties are subject to such concern.
The U.K. Bribery Act
Globally, the standards for anti-bribery have broadened far beyond the FCPA and
should be viewed in the general context of anti-corruption, anti-bribery, or even as
a core tenant in corporate ethics. The U.K. Bribery Act is the most prominent
expansion from the U.S. rules, in which the historical view about “bribery with
foreign officials” is greatly expanded upon to include not only organizations and
governments but individuals and commercial transactions as well.
If one wanted evidence that the world is evolving toward fighting bribery and
corruption, the U.K. Bribery Act would be a great indicator of this trend. In 2010,
the British Parliament enacted the Bribery Act 2010 (widely known as the U.K.
11 | P a g e
Bribery Act). The legislation was initiated on recommendations from the British
Serious Fraud Office (SFO) and, in many ways, is far more comprehensive and
far-reaching than the FCPA. Businesses that base their internal anti-corruption and
anti-bribery compliance programs on the U.K. Bribery Act may in fact be using a
more comprehensive standard.
This is because the U.K. Bribery Act goes much further than the FCPA. Unlike the
FCPA, the U.K. Bribery Act prohibits any type of bribery whatsoever. It doesn’t
matter if it’s bribery of a foreign citizen, a domestic citizen, a foreign government
official or a domestic one. It doesn ’t matter if it’s a corporation or a neighbor ;
bribery of any kind is prohibited.
The Growing Anti-Bribery/Anti-Corruption Push Around The Globe
The world is truly becoming a global marketplace. With multi-million
international business deals affecting the lives and safety of the public, there is an
ever-increasing need for common standards and practices. There is a push to
establish such common standards in many industries – a good example is the
International Financial Reporting Standard (IFRS) , which has been advocated to
establish standardization in financial reporting between U.S. and international
companies. It’s evidence that the world is connecting.
This big-picture and global trend toward interconnectivity is affecting the way
corruption and bribery are perceived and treated in countries all around the world.
Anti-corruption and anti-bribery regulations are emerging in countries globally –
even in countries where it had never really been a prominent concern. In some
cases, this conflicts with the cultural norms of nations that rely on offering
something of value in exchange for a desired outcome. In some places, that is just
the way things are done; it’s the way of business, a cultural heritage. However, a
key goal of this globalization of ethics is for every country in the world to make
the bribery of its own government officials illegal.
If there was ever any doubt as to this singular need, consider the recent
investigations in China over Western companies led by GlaxoSmithKline (GSK).
The Chinese government announced they would no longer tolerate Western
companies engaging in bribery and corruption of their government officials. The
key point from the GSK case is that the Chinese enforced their own domestic antibribery laws.
So now companies can face prosecution under the FCPA, U.K. Bribery Act, or
a country’s domestic law for engaging in bribery and corruption.
12 | P a g e
The business environment is changing and laws surrounding bribery, corruption,
and ethics are growing in complexity, necessitating a comprehensive program to
ensure compliance with the FCPA (at minimum ).
13 | P a g e
Chapter 3: How Do Such Laws Relate to Your Business?
In order to design an effective anti-corruption/anti-bribery program, it is critical
that you understand and define the nature of your business. Consider, for example,
such issues as who are you selling to, how you sell to them, and what is your sales
and distribution model?
As rudimentary as it might seem, the answers can have a significant impact on the
complexity of your final program. Let’s look at these issues now.
Who are you selling to ?
A company that sells directly to commercial third parties or consumers, never
interacting with any government officials in any foreign country, has less FCPA
risk than a company that contracts with or sells to a foreign official, engaged in
third party negotiations or uses offsets as contractual obligations. Sounds basic,
but “Who are you selling to ?” is a key first question to ask yourself.
The question should consider the following non -exhaustive list of buyer types:
Quasi-international government (part private, part government)
U.S. Government-sponsored sales to international governments
U.S. or international government agents for personal use
Government or commercially-run buying groups
Each of these scenarios brings with it its own set of risks and design considerations
for your program. Do you know, for example, how to handle transactions with
quasi-government bodies? What are the rules? And if you don’t know, how do you
think your sales personnel and accounts payable team will know?
How do you sell?
The nature of your sales process can vary widely. Much of that is driven by the
industry in which you operate and the nature of the “offering.” In other words, are
you selling products, services, or both? These offerings can be sold in a number of
ways, but consider the varied risk profile in the following models, ranked from
lowest to highest risk.
Retail Point of Sale (POS) – Potentially lowest risk
14 | P a g e
Commercial purchase order/invoice (with or without a contract)
Fixed price or time and material arrangements
Volume-based pricing with free, good incentives
Pricing with built-in promises of return, such as International Offset
programs or accompanied free goods
Bartering in the sales process
Inclusion of suppliers or other parties in the sales process
Use of warranty centers
License of your product through international manufacturers
Use of other business partners or joint venture partners
Use of third party lobbyists or distant contract “sales consultants” –
Potentially h ighest risk
This list could go on to include a few more, but the point is clear. A retail point of
sales transaction is less likely to include opportunities for bribery. A negotiated
contract with discounted pricing, in which you pay a third party to prepare a
proposal and interact with a foreign government on your behalf, would offer
relatively higher risk.
What is your sales and distribution model?
Do you sell directly to end -users? Or do you sell through wholesalers, distributors,
and retailers? Do you use an internal sales force or third party commissioned sales
agents? Commissioned sales agents will definitely add complexity to the mix and
could be highly scrutinized by regulators.
What commission is “appropriate” depends on many factors, including the culture
of the country in which you are doing business and the nature the industry. The
first question that a regulator might ask is about sales commission and the
determination of how “excessive” it is (or isn’t). Of course, that is a question with
frequently subjective answer. In some industries, the “business norm” for
commissions can be in the “1% to 5%” range, while in others the norm may be in
the “25% to 30% ” range. The respective government might consider the latter to
be “a lot of money,” and consequently will see incentive to consummate a deal.
Consider your commission structure and the appropriateness of amount in the
context of your operating environment. More importantly, determine if the
commission can be tied to some tangible work product or a process/service that
added value to the transaction.
15 | P a g e
If you ’re a manufacturer, you might sell to a distributor at a reduced cost. This
distributor will then likely sell the product with a profitable markup. Depending
on market conditions, it would be common to offer such distributor s additional
discounts, volume purchases, or other kinds of business norms when operating in
a foreign country. “What does the distributor do with that extra money?” a
regulatory might ask. “Is it simply profit? Or is it being used to influence a foreign
official?” Your distribution contracts need to spell out the acceptable uses of any
discounts or promotional funds to avoid any potential FCPA violations.
Suffice it to say that different industries will have different risk profiles. Take the
construction industry for example. With huge infrastructure projects all over the
world, construction firms can have a high er-than -average FCPA risk profile.
Why? First, most of the contracts are administered by or through the foreign
government, quasi-government entities, and government officials. Second, the
method by which the contracts are paid can be complicated —many are based on
adherence to a set schedule, offering monetary incentives for on -time completion.
It can be difficult to truly value the services rendered.
You need to define the industry in which you operate (and its level of risk), the
part of the world in which you are operating (this will define the prevalence of
corruption), to who m you are selling products or services, how many steps there
are in the distribution model, and who are the parties are and how they are
connected to you.
A critical consideration to understanding your business risk is identifying where
on the globe you operate. Transparency International (www.transparency.org/) is
an organization that studies and monitors the relative level of corruption around
the world on a country-by-country basis. The organization generates a Corruption
Performance Index (CPI, www.transparency.org/research/cpi/overview) which
ranks countries on their corruption levels, ranging from Singapore as a low
risk/low corruption environment, to Afghanistan and Iraq which represent high
risk/high corruption environments. It’s critical to measure environmental
considerations—that is to say, the political and economic stability of the
geographic environment in which you’re doing business. Is corruption a part of
their culture? As you can imagine, some foreign governments are corrupt
themselves and might require bribes in order to do business in or with their country.
We know you’ve provided “FCP A Train ing” to your organization, but is your
program designed with internal controls that are individually applicable to
the scenarios noted above?
16 | P a g e
Remember, you ’re responsible for running your business in a way that is compliant
with the anti-corruption and anti-bribery standards. It doesn ’t matter what
everyone else is doing or what is culturally acceptable. The excuses “I didn’t know
it was wrong” or “We trained our people” won’t suffice.
17 | P a g e
Chapter 4: Creating Your Anti-Corruption/Anti-Bribery Program
The underlying principles of every anti-corruption/anti-bribery program should be
the same. That is, the regulations and requirements with which you’re required to
comply remain predominantly the same. The risk profile, extent of controls, and
methods/tools deployed are what vary.
However, implementing a program that meets the necessary standards in a
practical way can be a complicated, multi-year endeavor, requiring continued
adjustment and maintenance. Sure, there’s a basic structure; but there is no readyto-go, “one size fits all” anti-corruption/anti-bribery program.
Establishing A Framework
The Federal Government has clear expectations for what defines an “effective
compliance and ethics program.” As noted earlier, those expectations are clearly
outlined in Chapter 8, Part B 2.1 of the Federal Sentencing Guidelines
(www.ussc.gov/Guidelines/) and include the following as paraphrased:
Leadership and Tone from The Top
A Commitment to Compliance – Beyond the Tone
Measurement: Set at Zero Tolerance; There is No Materiality Standard
for Corruption and Bribery
Standards and Procedures
Education and Training
Efforts to Exclude Prohibited Personnel with Due Diligence
Validation and Oversight
Let’s review each of these in turn.
Leadership and Tone at the Top
Both the U.S. Federal Sentencing Guidelines and the Organization for Economic
Co-operation and Development’s (OECD) Good Practice Guidance on Internal
Controls, Ethics, and Compliance consider a best practice program to start with an
unbreakable “Tone at the Top.”
The FSG reads: “High -level personnel and substantial authority personnel of the
organization shall be knowledgeable about the content and operation of the
compliance and ethics program … and shall promote an organizational culture that
encourages ethical conduct and a commitment to compliance with the law.”
18 | P a g e
The OECD Good Practice Guidance reads: “Strong, explicit and visible support
and commitment from senior management to the company's internal controls,
ethics and compliance programs or measures for preventing and detecting foreign
Everyone understands that a company leader must set the tone that the entity will
not engage in corruption or bribery. However, “tone-at-the-top” encompasses
more than simply saying the right things. It represents a commitment to
compliance, far beyond the “tone.”
A Commitment To Compliance – Beyond the Tone
Compliance can be occasionally seen as a priority that competes with the
achievement of top -and-bottom -line financial goals. One of the most pr ioritized
tasks that corporate leadership can undertake is to ensure that these two elements
do not compete, but rather exist synergistically. Leadership from senior executives
is required to ensure that compliance objectives are achieved despite the possible
distraction from competing objectives.
Typically, demonstrating such a commitment consists of any one or more of the
Hiring of a dedicated Chief Compliance Officer who has a direct,
independent reporting relationship to either the Board of Directors or the
Audit Committee of the Board of Directors;
Creating a cross-functional business and ethics council tasked with
promoting a compliance and ethics program. Ideally, this council should
also provide some independent oversight of higher-risk business
Developing a respectful, collaborative working relationship between the
Board, C-Suite, Internal Audit and Legal/Compliance;
Being part of the selection and training of senior managers to lead anticorruption/anti-bribery work ;
Creating an independent reporting hotline (“whistleblower”) and
providing of methods to promote it through company posters, pamphlets,
Providing leadership on key tools, such as a code of conduct or
independent auditing of one’s own actions;
Endorsing all publications related to the prevention of corruption and/or
Leading the company in awareness and encouraging a transparent dialogue
to ensure the effective dissemination of anti-bribery and anti-corruption
policies and procedures to employees;
19 | P a g e
Remaining engaged and/or involved in oversight of appropriate third party
Demonstrating leadership through relevant external bodies—such as
industry trade groups and the media—to help articulate both the
company’s overall compliance efforts and the industry commitment in the
fight against bribery and corruption;
Remaining involved in high profile and critical decision -making when
Assuring that not only is an appropriate risk assessment conducted , but
that it informs the company’s anti-corruption and anti-bribery compliance
Demonstrating oversight of procedure violation; and,
Providing feedback to the company’s Board of Directors or equivalent,
where appropriate, on levels of compliance.
A commitment to compliance can be articulated with three words: leadership ,
ownership, and accountability. Without all three concepts firmly in place, your
best compliance efforts could fail.
Leadership - Demonstrated by making compliance with rules and regulations an
equal metric, on par with quality, safety, and financial performance.
Business metrics are measurable goals of an organization that establish its
short or long-term direction. Although these metrics may be financially
oriented, it is a best practice to run the business with a “balanced
scorecard.” Furthermore, at least one metric should relate to the long-term,
continuous improvement of compliance, safety, and other areas that form
good corporate stewardship.
Mature organization s may use elements of Enterprise Risk Management
(ERM) as a methodology for linking risk events (e.g., bribery driven by a
foreign sales agent) with operational objectives ( e.g., selling in to a given
Compliance functions should have a voice at periodic meetings with the:
Board of Directors, Audit Committee, and Executive Management team
(i.e., staff meetings). Furthermore, dedicated time should be set on the
agenda to ensure consistent reporting.
Company-wide communications should balance financial, operational,
and compliance matters. As with our prior recommendations, balance is
critical to achieving desired outcomes. Best-in-class companies integrate
company presentations with an overview of critical risk management
areas, such as compliance and safety.
20 | P a g e
Ownership - Individual responsibilities should be established in the company’s
organization chart and throughout its job descriptions; otherwise, it becomes
intangible and cannot be measured or managed. It is important to distinguish
between those who are:
“Responsible” for compliance: Everyone is responsible for being
compliant. For example, the individuals who process sales transactions,
commission payments, shipments of free goods, and shipments of finished
goods have the greatest day-to-day impact on an organization’s
compliance. These “transaction -level” resources have as much, if not
more, “responsibility” for achieving compliance.
“Accountable” for compliance: These are the individuals that provide the
resources and oversight for ensuring effective execution. They are the
tone-setters and should also be held accountable for the compliance results
in their functional areas. They are typically supervisors or members of
“Advisors” of compliance: These are the individuals who interpret rulings
and advise the business on the boundaries of compliance. They are
typically members of a legal or compliance function.
“Monitors” of compliance: These are independent personnel who are
charged with the assessment of the organization’s compliance with
established policies and procedures. They are typically members of an
audit or quality function.
Accountability - Without accountability, your compliance efforts could be
meaningless. Directives of middle and upper-management may get ignored by
those employees who know that, despite their actions, they will not be held
accountable. Accountability is the glue that binds policies, procedures, and
Measurement: Set at Zero Tolerance; There is No Materiality Standard for
Corruption and Bribery
There are several steps that a company can take to establish a zero-tolerance policy
towards corruption and bribery. For instance, there could be a formal, written
statement establishing policies that direct the business towards an atmosphere of
integrity and compliance. In fact, there can be several forms of communication,
which might be tailored to different audiences within the company. Ideally, these
would be generally available on a company’s intranet and internet site. Let’s look
at what a formal statement might include.
Cornerstones of a formal statement might include:
21 | P a g e
A commitment to carry out business fairly, honestly, openly, and with
A commitment to zero-tolerance towards corruption and bribery;
The negative consequences of breaching the policy for both general
employees and managers;
The negative consequences of breaching contractual provisions relating to
anti-corruption and anti-bribery prevention formally sent and/or
communicated to channel partners;
A statement of the benefits of rejecting bribery for both the company and
its employees. This would include the reputation of the company with
customers, the confidence of its business partners, and the incentives for
employees to do business in a compliant manner;
A clear communication that key company individuals and departments are
involved in the development and implementation of the company’s anticorruption and anti-bribery prevention procedures; and ,
Reference to the company’s public-facing involvement in any collective
action against corruption and bribery in its business sector; or,
A reference to the range of anti-corruption/anti-bribery prevention
procedures the company has or is putting in place. This should includ e any
protection and procedures for confidential reporting of bribery such as
anonymous reporting through a helpline or hotline. This inclusion is
arguably the most vital of all previously listed.
Standards and Procedures
Standards (or p olicies) are an organization’s written rules in response to the law
and/or other company expectations. Procedures (or work instructions) provide
employees with the methods to achieve compliance with those policies.
These standards and procedures are critical towards achieving and maintaining
compliance for the following reasons:
Personnel join and leave the organization and knowledge needs to be
Lack of written standards can lead to variability in transaction quality;
Employees only retain a small percentage of the information that they
receive through training sessions. Written reference material is critical to
increasing the likelihood that the activities of employees will remain
22 | P a g e
How does a company decide what its standards and procedures should be? Well,
by asking basic questions about the business, how it works, and where it conducts
business. Here are some examples:
Will the company do business in countries with high corruption ratings, as
defined by the Transparency International Corruption Perception Index?
Will the company use an internal sales force? Or will that function be
If the company will use an external or outsourced sales force, will they
Does the company offer a standard set of discounts? Or will it vary them
Does the company offer free promotional product?
What type of individual is allowed to work for the organization and in
What standards have been set for contractors or third party agents?
Other areas where standards need to be set include email and communications,
travel and entertainment, gifts, and ethical behavior for the organization. Many of
these are items are inherent to a well-written Code of Conduct and Corporate
While there are several methods for making standards and procedures available to
employees, the follow ing key factors should be considered:
There should be a formal process for developing, releasing, changing, and
deleting policies and procedures documentation. The process should be
standardized, repeatable, and, ideally, managed by an independent
resource in the organization.
All draft documentation should be reviewed by critical stakeholders of the
organization. As an example, legal, compliance, and operations
management should review and jointly agree upon final drafts that are then
approved by higher levels of management (VPs and C-suite executives),
depending on the size and structure of the organization.
There should be a formal process for communicating new or revised policy
and procedure documentation.
There should be a formal process for controlling and distributing the
policies and procedures documentation , including, but not limited to :
hardcopy distribution that is maintained in a central, controlled department
binder; revision -controlled handbooks that can be distributed at the
employee desk level; and online and web-based repositories.
23 | P a g e
Recommended standards and procedures might, amongst others, include the
A Code of Conduct and Ethics
An Anti-Corruption /Anti- Bribery Program
A List Of Prohibited Activities (Bribery; Corruption; Facilitation
Payments; Inappropriate Political Contributions)
Conflicts of Interest
Gift and Gratuities
Travel and Entertainment
Free Goods and Promotional Activities
Delegation of Authority and Approval Matrix
Third Party and Employee Due Diligence Procedures
Contract, Pricing, and Commission Standards
Accounts Payable, Accounts Receivable, and Disbursements
An Internal Audit Charter and Annual Internal Audit Plan
An Audit and Investigations Policy
A Corrective Actions Process
Education and Training
Education and training can come in many different forms. While everyone in the
organization should be trained on core ethics and compliance principles, some may
require deeper levels of teaching. For example, those employees involved in
international sales and marketing, legal, compliance, and the accounting
departments have a greater responsibility due to their roles as international
transaction “control owners.” Having a deeper level of knowledge becomes a great
aid in stopping FCPA issues before they happen.
An organization’s investment in education and training does not need to be
significant in order to be effective. In fact, small investments in this area often have
the greatest bang for the compliance buck. While solid business processes and
system controls can limit the risk of undesired outcomes, it is the mass of
employees who process transactions that have the single greatest impact on
achieving compliance. Judgment often becomes a key element in doing the right
How proper training is achieved is dependent upon an organization’s size,
technological infrastructure, and existing culture. But, regardless of those factors,
there is no more effective method than a program of in-person training that
provides employees with the ability to ask questions and receive direct answers.
24 | P a g e
We recommend a balanced approach to training that may include some of the
following methods of delivery:
Annual, in-person training focused on tone setting, the basic premises of
the law, and areas of high risk.
Short interval, quarterly online training used to reinforce a central
On-demand training materials that can be made available through online
university systems, such as Corpedia, LRN, WeComply, SkillSoft,
Cogentys, SABA, Click4Compliance, and SuccessFactors, amongst
others. The advantages of such materials are numerous, including longterm development of employees and the potential integration of training
efforts with your suppliers and sales channel partners.
Laminated reference materials co -located with transaction processing.
Localized, public posting of key rules. This can be accomplished via
laminated posters or desk trinkets.
Efforts to Exclude Prohibited Personnel with Due Diligence
While most compliance practitioners are certainly aware of the need to perform
due diligence, they may not understand its continued role in third party
relationships. From this perspective, they can be divided into past, present, and
Past - Obviously, your company wants to know with who m they are doing
business, and whether the person or entity is a channel partner, joint venture
partner, or exists under some other business relationship. This is also true for
acquisitions. But due diligence is more important than providing a “check -the-box”
activity pertaining to the past activities of a third party; it is an important tool in
the overall international efforts to fight corruption and bribery. It supports your
company’s Code of Conduct, protects your reputation , and allows the early
discovery of deal-breakers before it’s too late. Due diligence will also help provide
a legal defense to anti-corruption /anti-bribery laws, like the Foreign Corrupt
Practices Act or U.K. Bribery Act. In addition to background and reputation, you
need to know third party qualifications before engaging in business.
Present – So what are some types of information that you should obtain in due
diligence? The following is a good place to start.
Identification: It is important to obtain basic identification information on
a third party. This includes names, addresses, phone numbers, basic
license information, the identities of officers, directors, shareholders, and
those who will handle your business and/or be your point of contact. You
25 | P a g e
need to obtain corporate regulatory and partnership filings, a list of
countries where the third party does business, and find out if there have
been any name changes in the past five years.
Financial: Your financial review should be based on three years of audited
financial records (if any).
Capabilities: Your review should include a review of the party’s facilities,
support services, amount of work outsourced, number of employees, and
number of years in business. You should also ask for a list of its top 10
Government Exposure: You need to determine if the third party does
business with any foreign governments or government officials and if
there are any government officials otherwise involved with the third party.
This extends to relatives and close friends of government officials.
Enforcement Actions: Here, you need to determine if the party or any of
its officials have ever been charged with criminal conduct or been party to
criminal proceedings. You also need to make the same inquiries for civil
proceedings and/or regulatory actions. It is advisable to review news
media stories on the party.
Internal Control Environment: You should review the party’s compliance
program, including their Code of Conduct. You should also test their
employees’ familiarity with the FCPA and/or Bribery Act. See if the
company has a written policy regarding gifts, travel and entertainment, and
if the employees are trained on pertinent elements of compliance.
Future - The future involves proactive diligence, enabling you to identify red flags
in the diligence process before you engage in business with an unwanted party.
Diligence, along-side strong contracting and third party training, will become an
indispensable tool in your overall enterprise risk management efforts. It is
considered a best practice to share your Code of Conduct with third parties and
draw attention to internal reporting hotlines for questions and concerns. Key
Clearly communicating that bribery and corruption are not tolerated ;
Us ing your due diligence to review and improve existing contracts; and,
Suggesting that the third party adopt a compliance program similar to
yours. Alternatively, you may provide training on specific issues.
It is important to note that the “future tense” also speaks to the n eed for ongoing
due diligence monitoring, a critical element and best practice for every program.
This is simply because things change. A key partner could be formally charged
with a crime two days after closing a contract and only weeks after having
performed your “static diligence.” The absence of ongoing monitoring will result
26 | P a g e
in little insight into this information. The “future” should really be an indication of
perpetuity as well as providence.
Practically speaking, diligence can be performed many ways. In our careers, we
have made use of materials and services provided by:
Google (and other basic internet search tools)
World Compliance (www.worldcompliance.com )
World-Check (www.world -check.com )
Dow Jones Factiva (www.dowjones.com/factiva/)
U.S. OFAC databases (https://ofac.data-list-search.com/Search/Simple)
It is important to note that best-in-class vetting systems fully integrate into modernday ERP systems. Prior to the execution of any transaction, the system performs a
real-time background check on selected parties for diligence issues with respect to
FCPA, U.K. Bribery Act, ITAR, and much more.
Validation and Oversight
In the compliance world, process validation comes through oversight. More than
one of the compliance program standards in the FSG call for companies to monitor,
audit, and respond quickly to allegations of misconduct. These highlighted
activities are key components for which enforcement officials will look when
determining whether companies maintain adequate oversight of their compliance
Many companies fall short when it comes to effective monitoring. Oftentimes, this
can be attributed to a general confusion regarding the differences between
monitoring and auditing.
Monitoring is management’s commitment to reviewing and detecting
transaction errors in real-time and then reacting quickly to remediate them.
A primary goal of monitoring is to identify and address gaps in your
program on a regular and consistent basis.
Auditing is an independent , targeted, and in-depth review of specific
business processes, systems, or transactions. You should not assume that
because your company conducts independent audits that it is effectively
monitoring. In fact, per the Institute of Internal Auditors (or the IIA) , it is
Internal Audit’s responsibility to evaluate the effectiveness of
management’s own risk management functions (i.e., monitoring). That
audit function should report independently to the Audit Committee of the
Board of Directors with a direct line to the CEO or CFO.
27 | P a g e
A robust compliance program should include separate functions for auditing and
monitoring. While unique in protocol, the two functions are related and can operate
effectively in tandem. Monitoring activities can occasionally lead to audits. For
instance, if management identified a trend of suspicious payments in recent
monitoring reports from Indonesia, it may be time to call Internal Audit, under
legal privilege, to perform an evaluation of transaction compliance.
Far too often, management looks to the Le gal, Internal Audit, or Compliance
Department (if standalone from Legal) when something has gone wrong and
says , “How could you let that happen? I thought you designed our program
to keep us compliant !”
What management is really ind icating is that they alone failed to monitor for
process and transaction-level errors and use that information to improve their
own environment. Conceptually, widgets produced and units sold are of equal
importance to the business as actively managing its own people, processes, and
systems – the key word being “manage,” which is sometimes taken for
Your management team should establish a monitoring system to identify issues
and address them. Effective monitoring means applying a consistent set of
protocols, checks, and controls tailored to your company’s risks to detect and
remediate compliance problems on an ongoing basis. Your compliance team can
help, for example, by routinely checking with local finance departments in your
foreign offices to see if they’ve noticed recent accounting irregularities. Regional
directors should be required to keep tabs on potentially improper activity in the
countries they manage. Additionally, a Business Ethics and Compliance
Committee should meet or communicate as often as every month to discuss issues
as they arise. These ongoing efforts demonstrate your company is serious about
integrating compliance and ethics into your business.
The concept of management executing, controlling, and monitoring is also inherent
in tangential laws such as Sarbanes-Oxley (SOX). Responsibilities of the
certifying officers under SOX are not too dissimilar from the FSG standards. Both
require a defined program of internal controls that have established owners and are
independently tested for proper design and performance. In fact, many of the
internal controls subject to a SOX evaluation would be included in an FCPA
program evaluation. For example, think of the “key control” that resides within the
Accounts Payable department to evaluate the appropriateness of disbursements in
accordance with an established approval authority matrix. While the two laws have
separate objectives, the definition of the control and the nature of the test may be
very similar. This is one of the reasons why the SEC plays a key role in FCPA
investigations – it is to evaluate the internal controls over financial reporting and
28 | P a g e
ability to prevent or detect fraud. The modern concept of “GRC” (Governance,
Risk, and Compliance) would suggest that all such controls be maintained in a
central database and tested as one rather than duplicating efforts.
How you audit or monitor can vary considerably. “Old -school” methods of
checklist-based auditing have some level of effectiveness, but cannot touch the
power of modern, real-time dashboards. In our experience, we’ve designed data
scripts that reside over the top of ERP systems and highlight significant red flags.
They provide early warning systems over volumes of data that would simply be
impractical for a human auditor to detect. Real-time dashboards might include:
High discount levels in a particular country;
Excessive entertainment receipts for a given employee;
Significant margins on lower margin products; or,
Higher commission rates or volumes, amongst others.
Finally, as was re-emphasized with 2012’s Pfizer Deferred Prosecution
Agreement (DPA), your company should establish protocols for internal
investigations and disciplinary action. Pfizer ’s “Enhanced Compliance
Obligations” included the following on investigative protocols:
On-site visits by an FCPA review team, comprised of qualified personnel
from the Compliance, Audit, and Legal functions who have received
FCPA and anti-corruption training;
A review of a representative sample, appropriately adjusted for the risks
of the market, of contracts with, and payments to, individual foreign
government officials or health care providers, as well as other high-risk
transactions in the market;
The creation of action plans resulting from issues identified during the
proactive reviews. These action plans will be shared with appropriate
senior management and should contain mandatory remedial steps designed
to enhance anti-corruption compliance, repair process weaknesses, and
deter violations; and,
A review of the books and records of a sample of distributors which, in the
view of the FCPA proactive review team, may present corruption risk.
Prior to such an investigation, however, the company should have procedures –
including document preservation protocols, data privacy policies, and
communication systems designed to manage and deliver information efficiently –
in place to make sure every investigation is thorough and authentic.
29 | P a g e
Chapter 5: Marketing Your Anti-Corruption/Anti-Bribery Program
A Compliance Department holds some degree of responsibility for marketing the
company’s programs, both internally and externally (i.e., to in-house employees
and applicable, out-of-house third party agents). This “compliance marketing
function” educates both employees and third party agents on company and legal
standards, processes for reacting to red flags, and methods for reporting violations.
Successful “compliance marketing” consists of three key components:
1. Identify: Let your employees and third parties know what you stand for;
2. Incentives: Celebrate employee efforts; and,
3. Tools: Give your employees the tools to participate.
Each of these concepts can play a key role in marketing your compliance program.
Let’s review them in more detail.
Identify - Let Your Employees and Third Parties Know What You Stand For
In the recently published FCPA Guidance, the DOJ and SEC suggest that the basis
of every anti-corruption/anti-bribery program is the Code of Conduct, as it is “often
the foundation upon which an effective compliance program is built. As DOJ has
repeatedly noted in its charging documents, the most effective codes are clear,
concise, and accessible to all employees and to those conducting business on the
Two primary goals of any Code are:
1. To document and clarify minimum expectations of acceptable behavior;
2. To encourage individuals to speak up when they have questions or witness
Incentives - Celebrate Their Efforts
Once again, the recent FCPA Guidance speaks to employee’s incentives as of equal
importance to disciplinary action s. Does your organization reward for ethical
The Guidance states, “DOJ and SEC recognize that positive incentives can also
drive compliant behavior. These incentives can take many Guiding Principles of
Enforcement forms such as personnel evaluations and promotions, rewards for
improving and developing a company’s compliance program, and rewards for
ethics and compliance leadership. Some organizations have made adherence to
compliance a significant metric for management’s bonuses, much like quality and
30 | P a g e
safety, so that compliance becomes an integral part of management’s everyday
concern.” It is important to “… make integrity, ethics and compliance part of the
promotion, compensation and evaluation processes as well.”
This concept means going beyond incentivizing. To us, the word “celebration”
implies a kind of public display of success. Financial rewards may be given in
private, such as a portion of an employee’s discretionary bonus credited to doing
business ethically and in compliance with the FCPA. Employees who are promoted
for doing business ethically are very visible and can act as effective public displays
of an operative compliance program. However, we think that a company can take
this concept even further through a celebration to help create, foster, and
acknowledge the culture of compliance for its day-to-day operations.
Bobby Butler, Chief Compliance Officer (CCO) at Universal Weather and
Aviation, Inc., has spoken about how his company celebrated compliance through
an event labeled “Compliance Week.” He said that he and his team attended this
event and used it as a springboard to internally publicize their compliance program.
Their efforts included three separate elements:
1. They hosted inter-company events to highlight and celebrate the
company’s compliance program;
2. They provided employees with a brochure that highlighted the company’s
compliance philosophy; and ,
3. They circulated a booklet which provided information on the company’s
compliance hotline and Compliance Department personnel.
Tools - Give Them Tools to Participate
Obviously, a key component of any effective compliance program is an internal
The FCPA Guidance states: “An effective compliance program should include a
mechanism for an organization’s employees and others to report suspected or
actual misconduct or violations of the company’s policies on a confidential basis
and without fear of retaliation.”
The FCPA Guidance goes on to discuss the use of an ombudsman, or a watchdog
of sorts, to address employee concerns about compliance and ethics. We do not
think that many companies have fully explored the use of an ombudsman , but it is
certainly one way to help employees with their compliance concerns.
Interestingly, an interview in the Wall Street Journal, with Sean McKessy, Chief
of the SEC’s Office of the Whistleblower, McKessy stated that, “What I hear is
that companies are generally investing more in internal compliance as a result of
31 | P a g e
our whistleblower program so that if they have an employee who sees something,
they’ll feel incentivized to report it internally and not necessarily come to us.”
Identity, Incentives, and Information are three useful tools that companies can use
to effectively market their anti-bribery and anti-corruption program efforts.
32 | P a g e
Chapter 6: High Risk Areas to Watch
You have arrived! You have created your compliance program in accordance with
FSG § 8b2.1, so you’re good to go, right? Now all you need to do is sit back and
conduct your overseas business with confidence… right? Well, not quite. First,
let’s first discuss some high -risk areas that deserve additional attention.
As with all other aspects of your business, you are dealing with human beings.
When dealing with human nature, the one thing you know for sure is that the
potential for disaster always exists. People make mistakes. This chapter provides
a partial list of those higher risk areas to actively manage.
Travel, Entertainment & Gifts
Let’s assume that your company does not want to fund a multi-year, multi-million
dollar bribery scheme violating both its own Code and the FCPA. That’s
reasonable, right? In this case, how do you best protect your firm when issuing
funds for commissions, traveling, entertainment, and gifts? Can you demonstrate
an internal control structure that provides real-time visibility into red flags in the
expense process? Or, are you counting so lely on the detective skills of your
Accounts Payable department? Let’s take a look by examining some fundamental
legislation, statements, and ideas.
A. FCPA Guidance
The DOJ/SEC FCPA Guidance clearly specifies that the FCPA does not ban gifts
and entertainment. Indeed the FCPA Guidance specifies the following:
“A small gift or token of esteem or gratitude is often an appropriate way for
business people to display respect for each other. Some hallmarks of
appropriate gift-giving are when the gift is given openly and transparently,
properly recorded in the giver’s books and records, provided only to reflect
esteem or gratitude, and permitted under local law. Items of nominal value,
such as cab fare, reasonable meals and entertainment expenses, or company
promotional items, are unlikely to improperly influence an official, and, as a
result, are not, without more, items that have resulted in enforcement action
by DOJ or SEC.”
B. Opinion Releases
Prior to the FCPA Guidance, in 2007, the DOJ issued two FCPA Opinion Releases
which offered guidance to companies considering whether, and if so how, to incur
travel and lodging expenses for government officials. Both Opinion Releases laid
out the specific representations made to the DOJ, which led to the Department
33 | P a g e
approving the travel to the U.S. by the foreign governmental officials. These facts
provided strong guidance to any company which seeks to bring governmental
officials to the U.S. for a legitimate business purpose. In Opinion Release 07-01, a
company desired to cover the domestic expenses for a trip to the U.S. for a sixperson delegation of an Asian government for an educational and promotional tour
of a U.S. facility. In the Release, the representations made to the DOJ were as
A legal opinion from an established U.S. law firm, with offices in the
foreign country, stating that the payment of expenses by the U.S. company
for the travel of the foreign governmental representatives did not violate
the laws of the country involved;
The U.S. Company did not select the foreign governmental officials who
would come to the U.S. for the training program;
The delegates who came to the U.S. did not have direct authority over the
decisions relating to the U.S. company’s products or services;
The U.S. Company would not pay the expenses of anyone other than the
The officials would not receive any entertainment, other than room and
board , from the U.S. Company; and,
All expenses incurred by the U.S. company would be accurately reflected
in said company’s books and records.
The response from the DOJ states: “Based upon all of the facts and circumstances,
as represented by the requestor, the Department does not presently intend to take
any enforcement action with respect to the proposal described in this request. This
is because, based on the requestor's representations, consistent with the FCPA's
promotional expenses affirmative defense, the expenses contemplated are
reasonable under the circumstances and directly relate to "the promotion,
demonstration, or explanation of [the requestor's] products or services."
In Opinion Release 07-02, a company desired to pay the expenses for a trip within
the U.S. for six junior -to-mid-level foreign officials for educational purposes at
their U.S. headquarters. This educational trip was to be conducted prior to, but in
tandem with, the foreign official’s attendance at a six-week internship on foreign
insurance, sponsored by the National Association of Insurance Commissioners
(NAIC). In the Release, the following representations were made to the DOJ:
The U.S. company would not pay the travel expenses or fees for
participation in the NAIC program;
The U.S. company had no “non-routine” business in front of the foreign
34 | P a g e
The routine business it did have with the foreign governmental agency was
guided by administrative rules with identified standards;
The U.S. company would not select the delegates for the training program ;
The U.S. company would only host the delegates and not their families;
The U.S. company would pay all costs incurred directly to the U.S. service
providers and only a modest daily minimum to the foreign governmental
officials based upon a properly presented receipt;
Any souvenirs presented would be of modest value, with the U.S.
There would be one four-hour sightseeing trip in the city where the U.S.
company was located; and,
The total expenses of the trip were reasonable for such a trip and the
training which would be provided at the home offices of the U.S. company.
As with Opinion Release 07-01, the DOJ ended this Opinion Release by stating,
“Based upon all of the facts and circumstances, as represented by the Requestor,
the Department does not presently intend to take any enforcement action with
respect to the planned educational program and proposed payments described in
this request. This is because, based on the Requestor's representations, consistent
with the FCPA's promotional expenses affirmative defense, the expenses
contemplated are reasonable under the circumstances and directly relate to "the
promotion, demonstration, or explanation of [the Requestor's] products or
services." 15 U.S.C. § 78dd-2(c)(2)(A).”
C. Travel and Lodging for Governmental Officials
What can one glean from these 2007 Opinion Releases? Well, it would seem that
a U.S. company can bring foreign officials into the U.S. for legitimate business
purposes. The Releases also indicate that the following tenants of a Compliance
Program should be present:
Policies and procedures should be established for the company’s travel and
Any reimbursement for airfare should be for economy class;
The particular officials who will travel cannot be selected (that decision
should be made solely by the foreign government);
Only the designated officials may be hosted, not their spouses or family
members (unless the latter are paid for by the foreign government or the
35 | P a g e
All costs must be paid for directly to the service providers – in the event
that an expense requires reimbursement, you may do so, up to a modest
daily minimum (e.g., $35), upon presentation of a written receipt;
Any souvenirs you provide to the visiting officials should reflect the
business and/or its logo and should be of nominal value (e.g., shirts or tote
Apart from the expenses identified above, the foreign government and/or
officials must not be compensated for their visit. You may not fund,
organize, or host any other entertainment, side trips, or leisure activities
for the officials, or provide the officials with any stipend or spending
The training costs and expenses will be only those necessary and
reasonable to educate the visiting officials about the operation of your
Incorporation of these concepts into a Compliance Program is a good first step
towards preventing any FCPA violations from arising; however, it must be
emphasized that they are only a first step. These guidelines must be coupled with
the active training of all personnel. This training must span not only your
compliance policy, but also on the corporate and individual consequences that may
arise if the FCPA is violated with respect to gifts and entertainment. Lastly, it is
imperative that all such gifts and entertainment are properly recorded, as required
by the books and records component of the FCPA.
The FCPA Guidance provides examples of improper travel and entertainment;
some examples include:
A $12,000 birthday trip for a government decision-maker from Mexico ,
including visits to wineries and dinners;
A $10,000 budget spent on dinners, drinks, and entertainment for a
A trip to Italy for eight Iraqi government officials, consisting primarily of
sightseeing and includ ing $1,000 in “pocket money” for each official; and,
A trip to Paris for a government official and his wife, consisting primarily
of touring activities via a chauffeur-driven vehicle.
Gifts, travel, and entertainment continue to bedevil companies in FCPA
compliance. However, in many ways, they are the most straight-forward and
process driven components of any compliance regime. If you can put the
appropriate standards in place and monitor them in real-time with visual
dashboards (via your ERP system), your risk of non-compliance in this area will
be substantially reduced.
36 | P a g e
As noted in Chapter 3, a common method of product movement includes the use
of distributors. Distributors are common to commercial and consumer products.
Distributors differ from other types of sales “representatives” as they take title to
products and assume risk of loss. If there was ever a question that distributors were
covered under the FCPA, the DOJ has made it clear that this class of entities could
be treated the same as any other sales agent (e.g., representatives), reseller, or any
other entity which sells a U.S. company’s products outside the United States.
While the terms “agent,” “reseller ,” and “distributor” have distinct definitions in
the legal world, they no longer have such distinctness for F CPA purposes. The
question is, “How do you fit distributors into your compliance program while still
giving the business distinctions unique to their relationship with your company?”
Let’s start with a risk assessment. What do you know about the entity? How long
have you done business with them? What is the nature of their financial backing,
market, and customer base? Do they work with third parties? Are they representing
you to pull sales through the channel and eventually to international sources?
The goal should be to determine which distributors are the most likely to qualify
as agents, for whom the company would likely be held responsible. This represents
a continuum of risk. On the low-risk end , you have domestic distributors that are
essentially domestic resellers with little actual affiliation with the supplier
company. On the high -risk-end, you have domestic or international distributors
who are very closely tied to the supplier company. These distributors effectively
represent the company in the market and end up looking more like a subsidiary
than a customer. They may or may not sell to both domestic and international
Some of risk factors to consider include:
The volume of sales made to the distributor and the nature of markets
served (e.g., domestic vs. international);
Whether an agreement exists that explicitly prohibits the distributor from
markets to whom the company would not otherwise sell (creating an
opportunity to circumvent establish ed company policy);
The percentage of the distributor’s total business sales that the principal’s
Whether the distributor represents the principal in the market, including
whether it can (and does) use the company trademarks and logos in its
Whether the principal company is involved in the running of the
distributor’s business through activities like training the distributor’s sales
37 | P a g e
agents, imposing performance goals and objectives, or providing
reimbursement for sales activity.
Once a company identifies its high -risk distributors, FCPA compliance procedures
can be tailored and shared appropriately. For those distributors that qualify as
“agents” and also pose FCPA risk, full FCPA due diligence, certifications, training,
and contract language are imperative. For those that do not, more limited
compliance measures that reflect the risk -adjusted liability are perfectly
Management of the Distributor Relationship
Once you evaluate your distributor and ink a contract, your real work begins. You
have to manage that relationship going forward . As do all things in business, price,
cost, discounts/commissions, and margins need to be determined. A legal contract
may or may not set these parameters. Regardless, organizations should consider
the formal means by which they determine how pricing and discounts are offered
to a distributor. For this, business organizations might consider the use of a formal
Discount Authorization Request (DAR) form.
To do this, a DAR template should be prepared, which is designed to capture the
particulars of a given request and allow for an informed, independent, and
objective decision about whether it should be granted. Because the specifics of a
particular DAR are critical to evaluating its legitimacy, it is expected that the
employee submitting the DAR will provide details about how the request
originated as well as an explanation justifying the elevated discount. In addition,
the DAR template should be designed to identify gaps in compliance that may
otherwise go undetected.
The next step is the creation of channels to evaluate DARs. The precise structure
of that system will depend upon several facto rs. I deally, the goal should be to allow
for tiered levels of approval. Three levels of approval are sufficient, but these can
be expanded or contracted as necessary. A general rule of thumb to observe is that
the greater the potential discount, the more scrutiny the DAR should receive. The
goal is to ensure that all DARs are vetted in an appropriately thorough fashion
without negatively impacting the company’s ability to function efficiently.
The last step is collecting and organizing your evidence of d ecision-making.
Remember, to document, document, document. Once the information -gathering,
review, and approval processes are formulated, there should be a system set in
place to track, record, and evaluate information relating to DARs. This includes
DARs both approved and denied. The documentation of the total number of DARs
allows companies to more accurately determine where and why discounts are
38 | P a g e
increasing, whether the standard discount range should be raised or lowered, and
provides companies the ability to gauge the level of commitment to FCPA
compliance within business operations. This information, in turn, leaves
companies better equipped to respond to government inquiries down the road.
This approach has merit because it follows what is set out in the 2013 DOJ/SEC
FCPA Guidance, which we will quote from the introductory section of the “Ten
Hallmarks of an Effective Compliance Program ”:
“Compliance programs that employ a ‘check-the-box’ approach may be
inefficient and, more importantly, ineffective. Because each compliance
program should be tailored to an organization’s specific needs, risks, and
challenges, the information provided below should not be considered a
substitute for a company’s own assessment of the corporate compliance
program most appropriate for that particular business organization. In the
end, if designed carefully, imp lemented earnestly, and enforced fairly, a
company’s compliance program—no matter how large or small the
organization—will a llow the company generally to prevent vio lations, detect
those that do occur, and remediate them promptly and appropriately.”
Email, Email, and Hopefully Less…..Email
From the standpoint of your company’s litigation exposure, not much can be more
dangerous than its own email history. Why is that so? Well, email is not like
contracts, you might say.
First, email is forever. You can’t shred email. Even deleting email really just rids
a local computer of it; email is backed up and stored on multiple, redundant servers
and is nearly always 100% recoverable for an investigation. One of the first things
that the regulators will look at is email, as they’ll want to understand the
discussions that were had, what was committed to and so forth . Whether we’re
talking about FCPA or any other source of potential legal risk, email has become
a very dangerous mechanism in the corporate world.
Second, emails are primarily formatted in a casual manner. It’s more like a phone
conversation in content—quick snapshots of arrangements to be followed up by a
contract or sales order. In many ways, it’s the assumed casual nature of email
exchanges that can make them extremely dangerous in their relation to the FCPA.
As we discussed earlier, the FCPA concerns itself not only with the act of bribery,
but also the intent to commit bribery. For example, if a member of your sales team
were to write an email to a foreign official regarding a competitive request for a
bid and say, “I’ll make it worth your while if you put us at the top of the heap ,”
this is incriminating. Even if the deal was never done, it’s still as bad as if there
39 | P a g e
had been an actual bribe. The intent to bribe is permanently documented in that
Now, think about the thousands, perhaps hundreds of thousands of emails that are
sent every day to and from your company. Now imagine the casual language and
slang that are undoubtedly used to some degree in their contents. Think about the
marketing-oriented language of discounts, sales, and free goods. The words that
we use in email are generally not “contract language,” and they can become very
dangerous when taken out of context. So what’s the take away here? There are
several that relate directly to email:
Invest the time to have solid controls around the proper and professional
use of email in your organization;
Educate your workforce about this proper use and reinforce it with
ongoing training; and,
Determine (on advice of counsel and other knowledgeable parties) what
an appropriate retention program is and only keep emails archived for the
shortest time allowable.
The bottom line is that email can be one of the most dangerous pitfalls you and/or
your company face from a legal perspective. Pay close attention to how you use it
and control its use in your organization.
Bart ering is a type of pitfall that isn’t necessarily akin to bribery, but could
definitely bring your company down the proverbial “slippery slope.” Let’s say that
you’re in a oil and gas business and you need something done in a market—a onetime event that might lead to an ongoing arrangement or contract. The third -party
agent you’re working with wants to be paid in product, not cash. Good deal, right?
He will get greater value in product than he would in cash, and you’ll save money!
Well, wait a minute. Red flags should be flying high right now. How do you
substantiate such a transaction? There is no formal contract that spells out the terms
of the deal or establishes the value of the products or services. The potential for
trouble abounds in circumstances of bartering.
Free or Promotional Product
If you’ve ever been to an industry convention, you’ve probably seen plenty of free,
promotional material given out. But wait, couldn’t this be seen as a bribe? Well,
let’s take a few steps back first.
40 | P a g e
There are several types of free or promotional products that need to be considered.
First, are the promotional “trinkets” that are given out by sales forces
everywhere—free hats, pens, coffee mugs…things of that nature. Most of the time,
gifts given in this manner are too insubstantial to really exert much influence an
individual. But, as with most things, this depends on the nature, extent, and context
of the “promotional” gift. Handing out hats with your company logo isn’t a big
deal. But if you were to fully outfit an entire foreign police department with
product from your consumer clothing business, well that’s a different story. Free
and promotional products, when used properly, are a tried -and-true means of
marketing your business and product. Unfortunately, it’s also a very slippery slope
with blurred lines. We suggest you always err on the side of caution when
disseminating free gifts, even when for entirely benign, legal purposes.
The next type of free product is the “evaluation sample.” This is when you
disseminate trial versions of your product as a means of demonstrating its merit.
For instance, let’s say you have submitted a competitive proposal on a bid with
multiple companies competing. You decide that because you believe the
experience of your product is superior, you want to send a sample of the product
to the potential client. In order for it to not be considered an “intent to influence”
violation, it must be clear that the product is a review sample and it must be
returned to the company. You are then responsible for following up and making
sure that the trialed product is returned.
The third type of free product is the “buy ten and get five free” type of promotion.
In reality, it’s not much different than just lowering the unit price and that cash
difference could, in some cases, be considered a bribe. Again, in situations like
this, nature, extent, and context are everything. Companies run promotional
campaigns like this all the time to boost sales and increase brand -awareness. Why?
Well, because it works! However, if you’re offering a “buy one get twenty free”
campaign exclusively to a particular, high -interest individual, don’t expect that
excuse to fly.
Discounts and Sales Commissions
Sales commissions can be a very risky area, especially when you are dealing with
contract or third-party agents in foreign markets. Let’s say you have a third -party
sales agent operating for you in Russia. Your goal is to ultimately sell your product
or service to the Russian government. Given the culture of Russia, your third -party
requests a little something to “sweeten the deal.” If you wanted to commit bribery
(and conceal it) to effectively lock in that particular sale, you might artificially
inflate the sales commission to that third-party sales agent. In this manner, the
marginal increase in sales commission would act as an effective bribe. This might
also happen without your knowledge, as it very well may be the way business is
41 | P a g e
done in that particular culture. What might be acceptable as commission in one
country might not be in another. The important thing is to set a commission
structure, document it, and stick to it.
Discounts can be another very risky area that requires careful documentation and
a consistent policy. For example, if you are selling directly to a government entity
and give that entity an inordinate discount, it operates in the same manner as a
bribe. It’s no different than giving that customer cash.
Split transactions can be a real can of worms. The legality of split transactions is
fundamentally quite complicated. Let’s look at an example. Let’s say you have a
sales agent in Canada. He executes a sales contract for you and instructs you to
send 50% of the commission to him and the other 50% to his brother in a different
location. If you don ’t know what role his brother played in the transaction (or if he
played any role at all) , then you‘re going to have a harder time convincing a
government investigator of the transaction’s legitimacy. From an investigator’s
perspective, those commission dollars look suspiciously like a bribe. Ultimately,
you can legally use split transactions. However, you have to be able to substantiate
and verify the reason behind it. When engaging in split transactions, understand
that the burden of proof irrevocably rests upon your shoulders in the event of an
The same caution that applies to split transactions can apply to tax evasion. It’s
possible that an overseas third-party sales agent would want to have all or part of
their commission sent to another location in order to circumvent their own
country’s tax laws. This isn’t necessarily bribery, but it will certainly raise the
eyebrows of an investigator. It also serves as another example of the necessity of
a constant awareness and supervision of those who are working for you overseas.
Third Parties Making Decisions for You
In an effort to wrap up the pitfalls section, we’re going to step back real quick and
finish the section with some broader, more encompassing concepts.
The most important takeaway from all of this is that, as a leader of your
organization, you should be cautious when allowing third parties—whether they
be your sales agents or government officials—make decisions for you in a foreign
market. For the most part, those sales agents and/or foreign officials will not be
held accountable for whatever actions they take on your behalf ; you and your
company most certainly will. Two things that you must remember are:
42 | P a g e
You need to make sure that all monies, discounts, or gifts that are given
are relevant to the nature of the transaction, the environment, and the work
that’s being performed for you; and,
You must substantiate exactly where the money is going. You must
document it with a contract. If, for example, a foreign government says it
needs free product because it’s part of their quality testing procedures, that
needs to be an explicit part of the contract.
Because of the globalization of business, organizations—and not just the big
ones—are becoming increasingly distributed. This is in part, no doubt, to an
increase in outsourcing. Regardless, and as a function of this, businesses are
becoming increasingly decentralized. It’s far easier for a CEO to set the rules for
one group of ten buyers in one location than it is for him to set the rules for five
groups of two buyers in five different locations. This is especially so when you
consider his or her obligations to monitor their activities. Organizations that
attempt to operate in multiple countries with multiple transaction and/or decisionmaking points are at heightened risk. Consequently, organizations like this are in
greater need of the protection of a robust compliance and monitoring program.
43 | P a g e
Chapter 7 – Leveraging Internal Controls to Mitigate High Risk Areas
Internal control concepts aren’t always given the utmost degree of respect or
priority, despite the fact that they are designed primarily to protect corporate
officers, shareholders, and general stakeholders.
We’ve actually heard clients say, “Our counsel provided F CP A training, so I
think we’re okay. Accounting takes care of our internal controls.” Statements
like this are red flags, as they demonstrate an unsophisticated attitude
towards compliance. This general lack of expertise can manifest itself in
intensely dangerous ways.
We assume that you are now familiar with the core tenants of FSG § 8b2.1 and
recognize that training is but one small element in a program. In addition,
remember that that even training and internal controls together don’t constitute a
full-fledged compliance program.
Thin k about it in the follow ing contextual driving example . Let’s say you ’re
new to driving. You’ve never driven by yourself before, but you’ve been
provided automobile operator train ing. You now think you know what you’re
doing, but you’re still a little unsure. Well, regardless of what you do, there
are still a number of technological and mechanical features that serve as
controls to lim it error. F or instance, let’s say you’re on the highway and you
accidentally bump into the gearshift. Game over, right? Well, no. The car
company was provident enough to design the system against accidents like
that. In order to shift the car from Drive, the car has to be still and the driver’s
foot must be on the brake. This is an example of an internal control. The car
company trusts its drivers, but only so far. In order to maxim ize the safety of
their vehicle, and min im ize the risk of driving it, the company designed a
myriad of failsafe mechanisms to prevent a single incident from causing
disaster. Internal controls work the exact same way for your company. A well
designed and optim ized set of controls not only increases transactions activity
but makes it safer.
Training your personnel on FCPA, U.K. Bribery Act, and/or broader anticorruption /anti-bribery responsibilities is a fantastic start. But it’s only a start. How
does your Accounts Payable Department know that a sales commission to be paid
to an international agent actually matches the original contract signed by your
executive team? Because your sales team said, “OK to pay?”
Without proper internal controls, your business could suffer from a lack of
guidance and direction. While you can train your employees to operate efficiently
and ethically, you still have to set controls in place to ensure that these ideals of
44 | P a g e
ethics, efficiency, accuracy, and compliance are continually put into practice.
Internal controls will allow you to place trust in not only your employees, but also
in a number of failsafe systems set in place within your operations. This way, if a
single “system” fails, another will take its place. Let’s review some quick points
about effective internal controls.
Effective internal controls:
Are essential to the long term success of not only a compliance program,
but your business as a whole;
Relieve some of the stress associated with the ongoing management of
both employees and third parties;
Provide greater confidence that financial and managerial reports required
by DOJ and SEC are accurate;
Provide reasonable boundaries in which employees and third parties can
Add to the overall health and success of a company.
Truth be told, internal controls are occasionally viewed as a set of burdensome
rules and procedures (or added bureaucracy), which are designed to constrain how
a person conducts business. This couldn’t be further from the truth. In reality,
internal controls are essential building blocks of your Enterprise Risk Management
Internal controls promote a culture of honesty, so that individuals do not cheat or
steal from the company. Internal controls helps drive data integrity so that
reporting tells an accurate story about the transactions being executed. They will
also not only increase your ability to monitor the processes of your business, but,
in doing so, increase your employees’ and hired third-parties’ understanding that
they are responsible for their actions.
Every FCPA enforcement action on record (that we could find) indicated some
lack of internal controls, the extent to which directly impacted fines, penalties,
settlements, and time served. Had proper internal controls been set in place, the
severity of these consequences would likely have been lessened, and in many
cases could have been avoided altogether.
While most compliance practitioners will certainly be familiar with internal
controls as mechanisms of detection, the best internal controls help to prevent
compliance violations before they happen. Internal controls are a “structure of
checks and balances” that can :
1. Compensate for human ethical weakness; and,
45 | P a g e
2. Provide necessary support to individuals of integrity who are facing
More specifically, internal controls provide assistance to compliance regimes. In
other words, they are designed to not only prevent cheating but promote doing
business ethically. They’ll also aid you in the swift detection of any compliance
violations that are occurring behind closed doors.
Internal controls work by helping to set the expectations of the ethical behavior
which are required of a company’s employees. They do so in a couple of ways.
First, they narrow the scope for unethical behavior. They do this in tandem with
an increase in the risk of discovery and punishment. Having internal controls in
place also acts to train employees in proper practice and procedures. In their
constant guidance by management-implemented control systems, employees will
begin to act compliantly reflexively. Internal controls can also help protect
employees who report unethical behavior. This final point is not to be discounted
when considering the Dodd-Frank and Sarbanes-Oxley Whistleblower protections
and the Dodd-Frank whistleblower bounty.
Lastly, internal controls aren’t necessarily about rules and regulations as much as
they’re about a company’s operating culture. A commitment to internal con trols is
a commitment to doing business the right way. You’ll find that by establishing and
celebrating a culture of ethical business, these values will become instinctual and
self -fulfilling. By making compliance an eminent foundation of your business,
employees will adopt compliant attitudes in the workplace; these attitudes will
further feed the culture of your business. Internal controls are a vital aspect of this
The most effective controls are those embedded “in the line” of a transaction. This
means that they are being used directly by line management and not simply the
company’s finance or accounting group. In this manner, such internal controls have
become the responsibility of management and not simply a corporate function, like
Furthermore, when management is allowed to believe that Internal Audit “owns”
its internal controls (which they do not), an “us against them” mentality can
develop. Internal controls are management’s tools, not Internal Audit’s. It is
management’s responsibility to design, implement, and execute internal controls
with Internal Audit’s guidance as needed.
Audit’s primary responsibility is to assess the design and effectiveness of those
controls in the company’s pursuit to follow the original four areas as provided in
the Framework of the Committee of Sponsoring Organizations (COSO) of the
46 | P a g e
Treadway Commission. That is, internal controls should be designed to assist the
organizations ability to:
Execute strategic plans;
Operate efficiently and effectively;
Produce accurate financial and managerial reports; and,
Maintain compliance with policies, procedures, and applicable laws.
What executive wouldn’t be in favor of something that helps achieve his or her
personal, financial, and professional process goals?
As with a “safety f irst” doctrine, successful management teams have determined
that the activities elevated with internal controls are critical to efficient and
effective operations. With everyone working under predetermined and prescribed
principles of guidance, a sense of unity and camaraderie will quickly develop
between strategy teams, departments, and co-workers. Simultaneously, a company
implementing effective internal controls will tremendously mitigate its risk and
liability. Some of the positive contributions that internal controls provide include:
Limitation of asset loss from employee or third party theft;
Limitation of single point failures in management behavior by requiring
segregated duties and cross-functional review;
Preservation of accurate information allowing management to better run
its business; and,
Limitation of claims, judgments, lawsuits, and monetary damages.
Think, just for a minute, that the cost of an FCPA violation could be millions of
dollars. The financial stakes of potential lawsuits or theft could be even higher.
How much less would you have spent on effective internal control assessment and
design to begin with?
Simply put, internal controls are the governors that increase your likelihood of a
successful outcome, not much different than the feature in your car that prevents a
sudden, unwanted change from Drive to Reverse. They’re your safety net, the
automatic antivirus-software that continuously monitors your PC. With robust and
efficient internal controls set in place, the efficient operation and financial
buoyancy of your operations no longer exclusively hinge upon the vigilance of
Okay, okay. So internal controls are good —you get it. Now you want to know a
little bit about how to implement them, right? Well, consider the following internal
controls as tools to reduce higher risk areas of your anti-corruption /anti-bribery
47 | P a g e
Always conduct due diligence of third parties prior to engaging in a
relationship. Due diligence should be independently spot-checked as part
of a recurring audit program.
Make sure to verify all third-party business entities, including their
physical domicile and in-country business bank account(s).
Ensure that written obligations exist describing a requirement to comply
with the Company Code of Conduct, anti-bribery/anti-corruption laws. In
addition, make sure to execute any necessary training of employees.
Gifts/Hospitality, Travel and Lodging
Conduct pre-approval of the amounts of fered to third parties to ensure they
aren’t offered questionable gifts in the midst of competitive procurement.
Make sure that invoices/receipts are itemized and approved prior to
Establish written obligations for compliance with local law and define that
no items be offered to influence decisions.
Establish a process of pre-approval and matching for disbursements
related to commissions or marketing expenditures prior to disbursement.
Matching should consist of ties to an original contract, verifiable receipts,
and internal approvals to issue funds.
Strictly prohibit payments in cash or to private accounts.
Pricing, Discounts, and Commissions
Establish worldwide pricing and commission thresholds. Deviations from
such standards or the offering of free product should be approved by a
cross-functional group. Any modifications must be re-routed for signature.
Establish system-related internal controls that prevent the fulfillment of an
international order prior to clearance under the due diligence process.
These are all examples of strong internal controls. By fundamentally aiding their
ability to manage and lead, internal controls not only directly aid the company, but
its employees as well. Internal controls aren’t just about protecting Corporate’s
48 | P a g e
best interests. Internal controls are helpful for all members of an organization.
Sure, they help manage a company’s risk, but when you consider the fact that
internal controls also aid middle and lower-tier employees by guiding them in their
day-to-day efforts, a sounder picture begins to develop. Simply put, there is no
exclusivity on the benefits reaped by well-maintained internal controls; internal
controls help everyone do their job better. That’s why they’re so important.
49 | P a g e
Chapter 8: When the Government Comes Knocking
You get a call one day and a representative of the Federal Government tells you
that you and/or your company is being investigated for alleged bribery under the
Foreign Corrupt Practices Act. Don’t panic! Here’s what happens and some
Determine Who Is Investigating You
The DOJ is the government agency that has ultimate jurisdiction in FCPA cases.
However, there are typically several other agencies involved. Sometimes,
investigations are handled exclusively by the DOJ. However, extensive cases, or
those that involved undercover work, may require the oversight of the Federal
Bureau of Investigations (FBI). In addition, it is likely that the SEC would follow
up to investigate any books and records violations. In other countries, an
investigation could be subject to the local government and its laws. For example,
an investigation under the U.K. Bribery Act might be led by the UK Serious Fraud
Office (SFO). Regardless, your first step is to establish exactly who is investigating
Hiring an attorney is a critical step in the investigative process. This is to ensure
you are properly represented and that matters related to the investigation remain
privileged and confidential. Ideally, you should hire a firm that is experienced in
e-Discovery and anti-bribery/anti-corruption investigations. You also want said
firm to have considerable experience in both forensic evaluation and matters
pertaining to the SEC.
So, while your first reaction might be to call your existing corporate counsel, such
reaction might be a mistake. You need a firm that has depth and breadth to cover
the wide range of aforementioned areas. Independent counsel can be hired by the
executive team, your General Counsel, or the Board of Directors. This decision is
highly dependent on who is being investigated and what the investigation is about.
In most public company investigations, it is advisable for a party furthest from the
management action to retain counsel ( e.g., the CEO and /or the Board).
It is likely that the DOJ may not have the extent of resources needed to conduct a
thorough and extensive investigation on their own. To guide the process along, you
should consider your use of independent council and the earnestness of your
cooperation. Full cooperation with the DOJ and the retention of independent
counsel that can perform an investigation on the DOJ’s behalf is often met with
50 | P a g e
positive response. However, just because counsel was retained by the organization,
that does not permit the concealment of potentially pertinent information.
Transparency and full disclosure, where applicable, is a given and should be
handled appropriately by your counsel.
Isolate Your Possible Issue
If you suspect (even without full evidence) that a violation exists, it is important to
isolate the cause of the potential violation. Any action the company takes in
response should be carefully considered in the context of the investigation.
However, if one of your employees was charged, you may chose to put that
individual on administrative leave. If a severe situation develops, it is advised to
stop all deals with selected third parties and/or sales to a particular government.
If you chose to continue your business endeavors during the investigation, methods
should be established to ensure transactions are compliant then and in the future.
Obviously, any transactions made will be under heightened scrutiny during a
Federal investigation. During the course of the investigation , and for a period
thereafter, it may be a good idea to elevate your internal controls beyond normal,
practical operating standards. Think of your business like a sports team. Typically,
during practice, you want to ensure you’re playing by the rules. But when it’s
game-time, the rules carry an additional importance. When the officials are
watching and the cameras are rolling, you’re going to want to make sure that the
rules are a top priority.
Obtain an Independent Assessment of your Program
Alright, so you know who’s investigating you, you’ve hired counsel, and you’ve
identified the potential sources of the violation. Now, it’s time to assess where you
stand. Your counsel will likely hire a creditable audit firm that can be used to
independently evaluate your organization’s transactions and internal controls.
These reports should be provided directly to counsel and be maintained under
privilege. More importantly, this will likely become the foundation of your future
remediation project plan.
An independent evaluation could be quite exhaustive and consist of aggregating
multiple years of transaction activity. To whom did the company make sales
pitches? To whom did it sell product? Who contacted the company? What were
the details of all deals made? Which third parties were active in each engagement?
What discounts were given? Who authorized them? Yes, it’s a long list. But the
information gained from each and every one of these questions is indispensable.
You need to catalog everything: the flow of funds, as well as all paper and
electronic communication. This is the backdrop and environment from which you
51 | P a g e
want the investigation to proceed. The investigation can go in multiple directions,
but the two most likely courses that the DOJ will take are to: (1) follow the money;
(2) follow the communications.
Because, at its base, the FCPA and U.K. Bribery Act are about bribery, following
the money is critical. Your investigation could look at deals consummated , deals
not consummated, and all of the details therein. They might not just look at the
flow of the money, but how approvals were documented and how the transactions
were recorded. This could starts with the request for bid, the initial quote given,
the pricing offered versus what was paid, what was offered in addition to pricing,
and whether or not a formal contact was established.
They may also look at all the communications related to establishing the deal. This
may come down to individual emails. Were there any planned or unexpected trips
back and forth during the course of the deal? Were any gifts given? Travel and
entertainment reports could be examined to see if money or gifts were used for
inappropriate purposes. After a deal was consummated, was the company paid in
a timely fashion ? Where did the funds originate? When were the commissions
paid? What type of documentation suggests the payment of commissions? Were
the commissions sent to the business address or a home address? Were they split?
Remember, these are all questions that have to be answered for a single deal. You
can see how arduous and time-consuming a process this becomes from the
perspective of the company under investigation.
Part of the investigation may include an examination of archived email history.
This could include a number of searches related to terms related to the particular
deal. For instance, popular searches might be for the country name, the
salesperson’s name, the name of the product, and keywords like “discount” or
“bribe.” As evidence is slowly pieced together, a cohesive picture could slowly
Expectations for Length and Outcome of the Investigation
DOJ investigations are laborious. Often, the official investigation will continue for
several years after all of the actual investigative activity has been concluded and
all results have been shared. Even though they have nothing more to ask, the DOJ
has limited resources and will take its time as needed. They are going to tend to
gravitate toward the largest or most probable cases, so their resources could shift
around. Expect an investigation to be protracted and painful. In all likelihood, the
requests from investigators won’t cease until the investigation’s end.
A number of potential outcomes could come from the investigation. One is that
nothing happens (cross your fingers for this one). The others span the gamut of
52 | P a g e
potential legal ramification. In some cases, fines will be charged to the employees
and officers responsible—these are fines for which the organization may not pay.
Fines may also be levied against the organization itself. In situations, implicated
parties may be imprisoned. In the very severest of circumstances, the government
may appoint a “monitor” who is assigned to oversee all activities at your company
for a specific time, usually between two and four years.
53 | P a g e
Chapter 9: What Does It All Mean?
Paul McNulty—former Deputy Attorney General—often cites three questions he
would ask a company under inv estigation by the DOJ:
1. What did you do to prevent it?
2. What did you do to detect it?
3. What did you do after you found out about it?
The FCPA Guidance phrases these three points of emphasis slightly differently,
encouraging the tripartite of prevention, detection, and remediation in the
framework of your anti-corruption compliance program. The cost associated with
a failure to receive a “passing grade” on any of these questions can be
astronomical. This past year, two more companies entered the list Top Ten of alltime FCPA settlements: Total S.A, ranking in with $398 million in fines, and
Weatherford International with $152.2 million. That’s a lot of money.
The largesse of these fines mirrors a growing, global and popular sentiment against
bribery and corruption. In other words, while the considerable size of these fines
demonstrates extensive FCPA violations, it also demonstrates direct and extensive
efforts to fight bribery and corruption on a Federal level. The size of these fines
not only sends a message to the corporations to whom they are levied, but also to
all other would-be violators: the United States does not take bribery and corruption
What’s more, this general trend extends far beyond the boundaries of the United
States. For example, consider our past references to the Chinese enforcement
action against the British company GlaxoSmithKline in 2013. Here, Chinese
authorities introduced and enforced their own country’s domestic anti-corruption
laws, not a foreign -focused law such as the FCPA. This demonstrates a genuine
and uncontrived eagerness to battle corruption in the global market. No longer
does the United States stand out as one of few nations who staunchly stand against
bribery and corruption. Anti-corruption is now a global initiative.
The individual perspective of anti-corruption and due process is of an equal
importance. After all, a good deal of bribery and corruption occurs on an
individual, not corporate, level. However, even the most honest individuals may
become involved in something not-so-honest, either out of ignorance or just plain
bad luck, and the policies in many countries do not favor innocent bystanders. For
many western ex-pats who are considering working in internationally, this may
cause them to rethink whether or not they are willing be stationed in the country
for fear of being caught up in another country’s judicial system, which is a system
not known for protecting individual due process rights. This factor cannot be
54 | P a g e
overstated – because being imprisoned in a place like China is near the top of just
about anyone’s list of things you never want to experience.
Remember at the beginning of this book when we asked you to take out a piece of
paper and a pen and document your answers to selected questions? Now, let’s do
that again. This time, we’re going to provide the answers that we’ve presented you
throughout this book. Before you look to see what we’ve written, try it out on your
own. By comparing the answers you’ve written by memory and those we’ve
provided below, you’ll be able to identify any areas that you might want to revisit.
How does your organization limit the risk of non -compliance? Can you list the
We limit the risk of non -compliance with a multi-faceted program that includes a
balanced set of internal controls. These include:
A program that meets or exceeds the expectations set forth in the Federal
Sentencing Guidelines’ “Effective Compliance and Ethics program ”;
Detailed company policies and substantial in -person and on -line training
delivered through a corporate university;
In-depth vetting of third parties and high risk transactions;
Independent, cross-functional review of high risk disbursements; and,
A Business and Ethics Council and an appointed leader of compliance.
Do you know what the prevailing standard and U.S. Government’s expectations
are for a compliance program?
Yes, those standards include, paraphrased:
Leadership and Tone from The Top
A Commitment to Compliance – Beyond the Tone
Measurement: Set at Zero Tolerance; There is No Materiality Standard for
Corruption and Bribery
Standards and Procedures
Education and Training
Efforts to Exclude Prohibited Personnel – Due Diligence
Validation and Oversight
Can you point to (or touch) your compliance program? What about your Ethics
Yes. It is documented in our anti-corruption/anti-bribery program. This can be
found on our corporate intranet and it is delivered via in -person training to our staff
55 | P a g e
on an annual basis. Our Ethics Program is maintained by our Ethics Counsel and
led by our CEO. She has a copy of the Code of Conduct and supporting activities
of the organization.
How do you mitigate the risk of bribery?
We mitigate the risk of bribery through a series of policies, preventive and
detective internal controls, and an employee training program. These are
monitored independently on a periodic basis by our Internal Audit department.
Some of these policies include:
We introduce and enforce prohibited activities policy which prohibits
bribery facilitation payments or free goods to foreign officials;
We require a cross-functional review of discounts and commissions
outside of established, written standards;
We require a multi-point matching process in Accounts Payable that
compares contracts to executive approvals to requests for payment;
We strictly coach and audit business operations involving travel, gifts,
entertainment, and gratuities; and,
We do not allow single point approvals anywhere in the control
When was your last independent anti-corruption /anti-bribery program audit?
We’ve scheduled one for next quarter.
56 | P a g e
“Put simply, the prospect of significant prison
sentences for individuals should make clear to
every corporate executive, every board member,
and every employee that we seek to hold you
personally accountable for FCPA violations.”
Lanny Breuer, Assistant Attorney General, Criminal
Division, U.S. Department of Justice, February 2010
If you “believe” your organization is compliant because: (1) you
provided training; (2) you have an “honest” culture; or (3) because
a Federal investigator hasn’t told you otherwise, you may be
putting the corporate enterprise at increased risk. There is a big
difference between being “compliant” and having a “Compliance
Thomas Fox and Jon Rydberg provide practical lessons pertaining
to the FCPA, U.K. Bribery Act and broader Anti-Corruption /AntiBribery standards for Board Members, Chief Executive Officers,
General Counsel and other corporate executives who seek to
lower their enterprise risk profile by learning simple strategies
from tested compliance veterans.
Tom Fox Law